Video game consoles can no longer be viewed as just gaming consoles but rather as full
multimedia machines, capable of desktop computer-like performance. The past has shown 
that game consoles have been used in criminal activities such as extortion, identity theft, 
and child pornography, but with their ever-increasing capabilities, the likelihood of the 
expansion of criminal activities conducted on or over the consoles increases. This research 
aimed to take the initial step of understanding the Xbox One, the most powerful Microsoft 
console to date. We report the outcome of conducting a forensic examination of the Xbox 
One, and we provide our Xbox One data set of hard drive images and unique files so that 
the forensic community may expand upon our work. The Xbox One was found to have 
increased security measures over its predecessor (Xbox 360). The encryption of the data 
and the new file types introduced made it difficult to discern potential digital evidence. 
While these added security features caused great difficulty in forensically acquiring digital 
forensic artifacts, some important and interesting digital evidence was gathered using 
open-source tools. We were able to find digital evidence such as times that the user 
initially set up the console, and times when the system was restored or shut down. We
were also able to determine what games and applications had been downloaded along 
with when the games were played. Finally, through our network forensic experiments, we 
were able to determine that various applications had different levels of security and that 
game traffic was encrypted. 

© 2014 Digital Forensics Research Workshop. Published by Elsevier Ltd. All rights reserved. 


Introduction 


As the capabilities of these gaming consoles increase, so 
does the potential for them to be used in illicit activities. 


According to Forbes, as of January 2014, Microsoft had 
sold approximately 3.4 million Xbox One units since its 
release on November 22, 2013. In recent years, Microsoft's 
Xbox systems have maintained top gaming console sales 
amongst its competitors. 

Gaming systems are now comparable to desktop computers: they are just as
powerful, have networking capabilities, and contain high-powered graphics
processors and a large amount of storage.


* Corresponding author. Tel.: +1 203 932 7198. 
E-mail address: |Baggili@newhaven.edu (I. Baggili). 
Criminal investigators have historically sought to gather
evidence from PCs, mobile phones, PDAs, and other mobile
devices; however, they may overlook these gaming consoles
even though they can potentially contain valuable
forensic artifacts that can be used for evidentiary purposes.
It is imperative to provide analysis of the Xbox One to
provide investigators an understanding of the proprietary
system with hopes of retrieving the evidence it may hold.

This research serves as an initial examination of the
Xbox One and its file system, allowing investigators some
information on how to investigate an Xbox One. This includes
understanding the file structure of the system, what
forensically valuable information is available on the console,
and where that information may be located.


Contribution 


With the more advanced functionality, power, and
complexity that the Xbox One holds over the previous
generations of consoles, it is important to understand
where to find digital evidence on the hard drive and how to
retrieve it. To the best of our knowledge, this research is the
first research-centric digital forensic investigation of an
Xbox One, and it aims to provide a base for future
work on the device.

In addition to the research provided, we release a data
set containing the hard drive images along with exported
files that have unique, unknown file types. This will
provide the forensic community with a data set that allows
further digital forensic research on the Xbox One. This data
set will include the hard drive images from Phase I and
Phase II as well as various files found on the device. It can be
requested at http://www.unhcfreg.com <Data & Tools>
and will be made available upon request and identity
verification of the researchers.


Literature review 
Gaming consoles and criminal activity 


As the popularity of gaming consoles increases, so do
the instances in which a console is used to commit a crime.
Criminals often hide illicit data on gaming consoles such as
the Xbox, Xbox 360, Sony PlayStation 3 and 4, and the
Nintendo Wii in hopes that the console will not be
perceived as a likely evidence target, especially when personal
computers have been seized as evidence (Collins,
2009). Consoles have been known to harbor fraudulent
documents, illegal software, indecent images, etc., and have
been used to steal identities (Vaughan, 2004; Conrad et al.,
2009; Podhradsky, Sley, D'Ovidio, & Casey, 2011). Other
notable cases don't involve just storage of illicit material,
but the crimes are actually committed over the gaming
network. A known case in this regard involves using Xbox
Live to exploit children (Bolt, 2011).


Forensic analysis of a Sony PlayStation 3 gaming console 


The PlayStation 3's operating system was found to be
encrypted despite providing the option to install and run a
secondary operating system. Furthermore, of great importance
in this published study was the finding that digital
forensic acquisition tools were able to recognize partitions
and identify the file system; however, the tools were not
able to actually read the files and displayed said files as
unpartitioned space (Conrad et al., 2009).


Xbox 360 


While the video game console forensic field is still in its
infancy, some work has been conducted on the newer consoles,
although the information is limited and still needs to be
expanded upon. These works have helped highlight
the importance of forensically analyzing gaming consoles
for evidentiary purposes, while also raising awareness of
the fact that a video game console is now being used as a
media hub and for using the Internet in various ways.

It has been shown that an unmodified Xbox 360 can
provide interesting digital forensic artifacts that are useful in
a criminal investigation, including alibis, online presence,
and activities whether innocent or illegal. Log files saved to
the hard drive identified the timestamps of gaming sessions
including the time, date, and length of a gaming session, the
gamertags (online user names) of the online players during
interactive sessions, and network activity (Xynos et al., 2010).


Modding 


An ‘out-of-the-box’ Xbox or Xbox 360 only allows code
to be run that is authorized by Microsoft. Therefore, conducting
activity that is outside the scope of what Microsoft
had envisioned for their system, i.e. saving personal data to
the hard drive, was not possible. However, the system was
quickly hacked by modders allowing the system to be used
as if it was a personal computer. These modifications
typically allow users to run alternate operating systems
(typically Linux based), execute illegal software, save personal
data, conceal partitions, etc. Many tools, along with
websites and comprehensive guides, were developed
allowing even the average user access to these modifications
(Modfreakz, 2009).


Methodology and tools 


The methodology and tools used in this research followed
the guidelines for forensically examining artifacts as
deemed by NIST (Kent et al., 2006).

This research was divided into three phases:

• Phase I: The Xbox One was restored to factory settings.
  The hard disk drive was then removed from the system
  and forensically imaged while using a hardware write-blocker.
  Various methods of analysis of the hard drive were followed.

• Phase II: The hard drive was reinstalled into the system
  and the staged events below were conducted. Once all
  the events were completed, imaging and analysis were
  performed as in Phase I:
    • Installed Battlefield 4, played in both multiplayer and
      single player modes.
    • Installed Dead Rising 3, played in both multiplayer and
      single player modes.
    • Installed and used various apps, which consisted of:
      Skype, Twitch, YouTube, Xbox Video, Xbox Music, and
      FXNow.
    • A cable box was hooked up through the Xbox One to
      allow television to be viewed through the console.
    • The user signed in using the facial recognition feature.
    • The user signed in without using the facial recognition
      feature.
    • Viewed friend's gameplay videos.

• Phase III: Since the Xbox One would undoubtedly be
  used in an online environment, some analysis of the
  interaction between the Xbox One and the Internet was
  required. The following controlled events were used to
  examine this communication:
    • Used the YouTube, Skype, Internet Explorer, Twitch,
      and Game DVR applications.
    • Played Battlefield 4 in single player and on the Xbox
      Live network with other users.
    • Played Dead Rising 3 in single player and on the Xbox
      Live network with other users.
    • Signed in and out of the user's profile.


Image acquisition 


Forensic guidelines state that the copies of the source 
drive must be taken in a manner such that any potential 
evidence present on the system will experience minimum 
alteration. The Xbox One came with a SATA hard disk drive 
which was removed from the system and connected to a 
Forensics Recovery of Evidence Device (FRED) to be imaged 
using AccessData's FTK Imager (AccessData, 2013). FRED 
contains a built-in write-blocker, which was validated 
before the imaging process was started. Hashes of the hard 
drive were taken before and after imaging to ensure that no 
data on the drive was modified during the imaging process 
so that a forensically sound image of the hard disk was 
created. 


Autopsy 


After the image was acquired, Autopsy was used to
perform a preliminary examination of the data on the hard
disk drive and a keyword search (Carrier, 2013). The keywords
were derived from the procedures of the experimental
scenario such as the names of the games played, the
names of the researchers, the string of words used in an
email, and the dates and times the system was used.


Data carving 


Data carving involves reconstructing files based on their
content, rather than the metadata that points to the content
(Garfinkel, 2007). It is an important technique in digital
forensics allowing investigators to recover data that
may otherwise be lost. Many forensic tools are available to
accomplish this task; two open-source tools with a strong
reputation were chosen for this research: bulk_extractor
and Scalpel.

bulk_extractor is a forensic tool that scans a disk image
and extracts information without parsing the file system or 
file system structure (Garfinkel, 2012). It is capable of 
processing different areas of the disk in parallel, does not 
miss data in unallocated regions of file systems and can 
process any type of digital media, making bulk_extractor 
fast, thorough, and flexible. 

Scalpel is a high performance file carver that is based on 
three primary requirements: i) Frugality — allowing it to 
run on machines with low resources, ii) High performance 
— making it able to perform carving as fast as possible, and 
iii) Support for distributed implementation — giving it the 
ability to be adaptable to a distributed cluster based digital 
forensics platform (Richard III & Roussev, 2005). 


Network analysis 


To examine the packets being sent to and from the Xbox 
One, a shared Internet connection was established between 
a host computer, which had Internet access, and the Xbox 
One device. This was accomplished by connecting the Xbox 
One via an Ethernet cable to the host computer, which then 
provided the Xbox One with an Internet connection. 

Two tools were chosen to carry out network acquisition
and analysis: Wireshark and NetworkMiner. Wireshark is a
network packet analyzer that captures packets and displays
them with as much detail as possible (Combs, 2013).
NetworkMiner is used to detect operating systems, sessions,
hostnames, open ports etc., and has the ability to reconstruct
data in PCAP files to reassemble transmissions
(NETRESEC, 2013).


Analysis 
Partition layout 


The Xbox One's hard disk contained the five NTFS partitions
shown in Table 1.

Factory restoration of the console took place at 8:50 PM 
UTC on 1/20/2014 (the Xbox One records timestamps in 
UTC). This timestamp was carried by the NTFS metadata 
structures found on every NTFS partition. This research 
took place in the Eastern Standard Time (EST) zone; 
therefore the timestamps were all five hours ahead of the 
local time. For consistency with the figures throughout the 
document, all of the times in this paper will be in UTC. 


Preliminary results 


Data carving with bulk_extractor and Scalpel proved to
be ineffective, likely due to the encryption and/or
compression, which we assume to be in use on the Xbox
One (see below). Scalpel was able to carve a multitude of
files but they could not be opened or viewed, indicating
that the files were carved incorrectly. Likewise, bulk_extractor
extracted a large quantity of text from the volume,
but most was not human readable. This left us to
parse the MFT to draw conclusions and locate potential
digital evidence, and to analyze the files we could find from
a logical view of the file system. The files we could locate
were of unknown binary file types, and were not human
readable. Most files had the extension “xvd”, but this is no
guarantee that they share the same file type.

Table 1
Xbox One partitions.

Partition                 Size (MB)
Temp Content              41,984
User Content              373,760
System Support            40,960
System Update             12,288
System Update 2           7168
Unpartitioned Space GPT

In order to speculate as to the nature of these files, we calculated an
entropy score for each file, applying the Forensic Relative
Strength Scoring approach to explore the nature of the
unknown file types (Shannon, 2004). The entropy score for
each file was expressed as the minimum number of bits
needed to encode each byte of information under an
optimal compression regime. Human readable text formats
tend to score between 3 and 5 bits per byte, while
encrypted or compressed files tend to score between 7 and
8 bits per byte (Shannon, 2004).
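
The bits-per-byte score described above can be computed from byte-value frequencies alone. The following Python code is an added example, not code from the paper or from the Forensic Relative Strength Scoring tool; the function names and sample buffers are constructed here, and the per-window profile goes beyond the whole-file score the paper reports.

```python
import hashlib
import math
from collections import Counter

CHUNK = 1 << 20  # read size for files; the score does not depend on it


def _score(counts: Counter, total: int) -> float:
    """Shannon entropy in bits per byte from byte-value counts."""
    if total == 0:
        return 0.0
    return sum((n / total) * math.log2(total / n) for n in counts.values())


def entropy_bits_per_byte(data: bytes) -> float:
    return _score(Counter(data), len(data))


def file_entropy(path: str) -> float:
    """Whole-file score, streamed so multi-gigabyte .xvd files need little memory."""
    counts, total = Counter(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            counts.update(chunk)
            total += len(chunk)
    return _score(counts, total)


def band(score: float) -> str:
    """Bands quoted in the text: 3-5 text-like, 7-8 encrypted or compressed."""
    if 3.0 <= score <= 5.0:
        return "text-like"
    if 7.0 <= score <= 8.0:
        return "encrypted or compressed"
    return "indeterminate"


def window_scores(data: bytes, window: int = 4096) -> list:
    """Per-window scores; a container file can mix plain and encrypted regions."""
    return [entropy_bits_per_byte(data[i:i + window])
            for i in range(0, len(data), window)]


def phase_shift(before: float, after: float) -> str:
    """Describe a change of band between two acquisitions of the same file."""
    b, a = band(before), band(after)
    return f"{b} -> {a}" if a != b else f"unchanged ({b})"


# Constructed sample buffers (not data from the console).
SAMPLE_TEXT = (b"The console was restored to factory settings and the hard "
               b"disk drive was imaged behind a hardware write blocker. ") * 40
SAMPLE_RANDOM = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                         for i in range(2048))  # stands in for ciphertext
SAMPLE_SPARSE = bytes(8192)  # zero-filled, like an unused pre-allocated region

if __name__ == "__main__":
    for label, buf in (("text", SAMPLE_TEXT), ("random", SAMPLE_RANDOM),
                       ("sparse", SAMPLE_SPARSE)):
        s = entropy_bits_per_byte(buf)
        print(f"{label:7s} {s:6.3f} bits/byte  {band(s)}")
    # The two scores reported in Table 2 of the paper for the same file.
    print(phase_shift(4.160208895, 7.89634165767))
```

A score close to zero, such as the zero-filled buffer here, falls outside both bands and is reported as indeterminate rather than forced into one of them.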


Master file table 


The MFT is the most important feature of NTFS. The MFT
includes all of the information about the files on the system;
there is at least one entry in the MFT for every file on
an NTFS file system volume, including the MFT itself. The
data within an MFT contains file metadata, information that
could be very helpful for investigators. Metadata is the data
in the file system that describes the layout and attributes of
the files and directories, i.e., timestamps, file size, etc.
(Buchholz and Spafford, 2004). This can assist investigators
in determining timelines, patterns of use, suspicious files,
etc.

The MFT of each partition was parsed using mft2csv, an
open-source tool. It takes an $MFT file as input, extracts
information from the $MFT records, and logs it to a
comma-separated values (CSV) file (Schicht, 2014).
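
What an MFT-to-CSV conversion does for a single record is shown below as an added example. It is not mft2csv's code; the column names, function names and the constructed sample record are assumptions, and the record carries the Phase II timestamps this paper reports for appswapfile.xvd.

```python
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)
SECTOR = 512
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF  # $STANDARD_INFORMATION, $FILE_NAME, end marker
COLUMNS = ["name", "in_use", "is_dir", "si_created", "si_modified", "fn_created"]  # assumed


def filetime_to_utc(ft: int) -> datetime:
    """NTFS FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def apply_fixups(rec: bytes) -> bytearray:
    """Undo the update sequence array: restore the last two bytes of each sector."""
    buf = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf


def parse_record(rec: bytes) -> dict:
    """Extract name, flags and UTC timestamps from one MFT FILE record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    buf = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", buf, 0x14)
    row = {"name": "", "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while off + 0x18 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == END or alen < 0x18 or off + alen > len(buf):
            break
        if buf[off + 8] == 0:  # resident attribute: content is inside the record
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
            body = bytes(buf[off + coff:off + coff + clen])
            if atype == SI:
                created, modified = struct.unpack_from("<2Q", body, 0)
                row["si_created"] = filetime_to_utc(created)
                row["si_modified"] = filetime_to_utc(modified)
            elif atype == FN:
                row["fn_created"] = filetime_to_utc(struct.unpack_from("<Q", body, 8)[0])
                row["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return row


def to_csv(rows) -> str:
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS)
    for r in rows:
        writer.writerow([r.get(k, "") for k in COLUMNS])
    return out.getvalue()


def _resident(atype: int, body: bytes) -> bytes:
    pad = -len(body) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body) + pad,
                      0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
    return hdr + body + bytes(pad)


def build_sample_record(name: str, created: datetime, modified: datetime) -> bytes:
    """Constructed 1024-byte record so the parser runs without a disk image."""
    c, m = (int((t - EPOCH_1601).total_seconds()) * 10_000_000 for t in (created, modified))
    si = struct.pack("<4Q", c, m, m, m) + bytes(16)
    fn = (struct.pack("<Q4Q2Q2I", 5, c, c, c, c, 0, 0, 0, 0)
          + bytes([len(name), 3]) + name.encode("utf-16-le"))
    attrs = _resident(SI, si) + _resident(FN, fn) + struct.pack("<I", END)
    rec = bytearray(1024)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)  # USA at 0x30, 3 entries
    struct.pack_into("<HH", rec, 0x14, 0x38, 0x01)       # first attribute, in-use
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = b"\x01\x00"                         # update sequence number
    for i in (1, 2):                                     # protect both sectors
        end = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = b"\x01\x00"
    return bytes(rec)


# Constructed record carrying the Phase II times the paper gives for this file.
SAMPLE = build_sample_record("appswapfile.xvd", datetime(2014, 1, 21, 14, 41, 37, tzinfo=UTC),
                             datetime(2014, 1, 22, 16, 55, 31, tzinfo=UTC))

if __name__ == "__main__":
    print(to_csv([parse_record(SAMPLE)]), end="")
```

The example reads resident attributes only and stops at the first malformed attribute header; a record whose sector tails do not match its update sequence number is rejected instead of being parsed with wrong bytes.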

The following sections will discuss the information that 
was discovered on each of the system's partitions. 


Temp content partition 


Figs. 1 and 2 highlight the content of the root directory 
in the temp content partition both before and after use. 

There were several areas of interest in this partition. By
calculating MD5 hash digests for files from both the
“before” and “after” images, we noticed that these files
experienced modifications during the usage scenario:
appswapfile.xvd, AppTempStorage, $sosrst.xvd, AppUserStorage,
ConnectedStorage-retail, and GDVRIndex.xvd.

Name                        Size         Type                 Date Modified
$Extend                     1            Directory            1/20/2014 8:50:36 PM
$AttrDef                    3            Regular File         1/20/2014 8:50:36 PM
$BadClus                    0            Regular File         1/20/2014 8:50:36 PM
$Bitmap                     1,312        Regular File         1/20/2014 8:50:36 PM
$Boot                       8            Regular File         1/20/2014 8:50:36 PM
$I30                        4            NTFS Index All...    1/20/2014 8:50:36 PM
$LogFile                    65,536       Regular File         1/20/2014 8:50:36 PM
$MFT                        256          Regular File         1/20/2014 8:50:36 PM
$MFTMirr                    4            Regular File         1/20/2014 8:50:36 PM
$Secure                     1            Regular File         1/20/2014 8:50:36 PM
$sosrst.xvd                 105,676      Regular File         1/20/2014 8:55:44 PM
$UpCase                     128          Regular File         1/20/2014 8:50:36 PM
$Volume                     0            Regular File         1/20/2014 8:50:36 PM
appswapfile.xvd             2,109,584    Regular File         1/20/2014 8:55:44 PM
AppTempStorage              3,164,364    Regular File         1/20/2014 8:55:44 PM
AppUserStorage              1,591,508    Regular File         1/20/2014 8:55:40 PM
ConnectedStorage-retail     9,548,892    Regular File         1/20/2014 8:55:40 PM
GDVRIndex.xvd               103,628      Regular File         1/20/2014 8:54:29 PM

Fig. 1. Temp content partition root directory after factory restoration.

Name                        Size         Type                 Date Modified
$Extend                     1            Directory            1/20/2014 8:50:36 PM
$AttrDef                    3            Regular File         1/20/2014 8:50:36 PM
$BadClus                    0            Regular File         1/20/2014 8:50:36 PM
$Bitmap                     1,312        Regular File         1/20/2014 8:50:36 PM
$Boot                       8            Regular File         1/20/2014 8:50:36 PM
$I30                        4            NTFS Index All...    1/22/2014 4:26:57 PM
$LogFile                    65,536       Regular File         1/20/2014 8:50:36 PM
$MFT                        256          Regular File         1/20/2014 8:50:36 PM
$MFTMirr                    4            Regular File         1/20/2014 8:50:36 PM
$Secure                     1            Regular File         1/20/2014 8:50:36 PM
$sosrst.xvd                 143,076      Regular File         1/22/2014 4:58:00 PM
$UpCase                     128          Regular File         1/20/2014 8:50:36 PM
$Volume                     0            Regular File         1/20/2014 8:50:36 PM
appswapfile.xvd             2,109,584    Regular File         1/22/2014 4:55:31 PM
AppTempStorage              3,164,364    Regular File         1/22/2014 4:58:21 PM
AppUserStorage              1,591,508    Regular File         1/22/2014 4:56:13 PM
ConnectedStorage-retail     9,548,892    Regular File         1/22/2014 4:58:24 PM
GameDVR_25332748535625...   70,828       Regular File         1/22/2014 4:27:34 PM
GDVRIndex.xvd               103,628      Regular File         1/22/2014 4:28:45 PM
temp00                      2,109,584    Regular File         1/22/2014 2:45:30 PM
temp01                      2,109,584    Regular File         1/22/2014 4:13:08 PM

Fig. 2. Temp content partition root directory after scenarios.

Of the abovementioned six files, all were created when
the system was restored to factory settings. Interestingly
however, in Phase II, $sosrst.xvd and appswapfile.xvd had
file creation timestamps of 14:41:33 and 14:41:37
respectively, on 01/21/2014. This may indicate that some
feature of the system was used to recreate these files. Both
files were created at a time that correlated with the
initialization of playing Battlefield 4 in multiplayer mode
over Xbox Live. It was also observed that the date modified
of both files occurred within three minutes of when Dead
Rising 3 started to be played in multiplayer mode.

On this basis, it seems likely that these files relate to
connecting to Xbox Live and playing games with other
users, so for instance, they may contain gamertags of other
Xbox Live users who had played games/chatted with the player
using the Xbox One. Note that $sosrst.xvd changed during
the scenario and was likely encrypted during Phase II, as
the entropy scores changed between phases as shown in
Table 2. It is possible that $sosrst.xvd is unencrypted until the
first time the Xbox One device connects to Xbox Live, and
that a private key associated with the user's Xbox Live account
is then used to encrypt the file.

ConnectedStorage-retail was modified at shutdown in
both phases. Its other timestamps did not help in
discerning its function, but based on its name we hypothesize
that this file is associated with connecting a memory
device, such as a flash drive, to the Xbox's USB port, or a
planned expansion for the console.

Determining the functions of AppTempStorage and
AppUserStorage proved to be difficult. AppUserStorage was
last modified at shutdown in Phase I, and when FXNow was
closed in Phase II. This, together with the fact that the
application files themselves (see Section System support
partition) did not change when the respective application
was used, led us to hypothesize that AppUserStorage
held user data for each application. For example, the Skype
application requires the user to sign in with a login and
password. This information can be saved so that it does not
have to be entered each time the application is used; this
file is where we hypothesize this type of data is held.


Table 2
Entropy scores for $sosrst.xvd.

File           Phase I Entropy Score    Phase II Entropy Score
$sosrst.xvd    4.160208895              7.89634165767

The AppTempStorage was updated in each phase at system
shutdown. Based on its name, we hypothesized that
the file contained temporary information for applications,
which ensured that data would not be lost due to an
unexpected shutdown.

Three new files were created in this partition during 
Phase II, GameDVR_25332748 ... 15f2.xvd, temp00, and 
temp01. 

The GameDVR_25 ... f2.xvd file was not difficult to 
decipher. The file name itself pointed towards the Game 
DVR function of the Xbox One, and the date modified 
seemed to confirm this suspicion, as 4:28 PM on 1/22/2014 
was the last time a game clip was recorded to the console. 
Its entropy score was 7.83 bits per byte, suggesting a 
compressed format such as compressed video, consistent 
with our expectations. 

The names of the temp00 and temp01 files were not as
clear as the GameDVR_25..f2.xvd file, but the timestamp of
each file's creation found in the MFT suggests the function
of both files. The Xbox One backs up data of video games on
the cloud, so for instance if a user were to play a game on a
friend's console, they would not lose any progress that was
made when they continue playing on their own system.
When a game is started, the system checks the cloud to
determine if synchronization is necessary. Due to the factory
reset, cloud synchronization was necessary and
occurred the first time that both games were started during
Phase II of the research. The modification times seen in
Fig. 2 of temp00 and temp01 align with these events, for
Battlefield 4 and Dead Rising 3 respectively.


User content partition 


The contents of the root directory of the user content
partition are shown in Figs. 3 and 4.

The files of interest were the last 8 files in Fig. 4, whose
file names are strings of hexadecimal digits. As can be seen,
the file names gave no clue as to what each file actually was
in this instance; however, there were a couple of aspects of the
metadata that were of particular importance, namely the
file sizes and the timestamps.

Name                           Size          Type                 Date Modified
$Extend                        1             Directory            1/20/2014 8:50:36 PM
$AttrDef                       3             Regular File         1/20/2014 8:50:36 PM
$BadClus                       0             Regular File         1/20/2014 8:50:36 PM
$Bitmap                        11,680        Regular File         1/20/2014 8:50:36 PM
$Boot                          8             Regular File         1/20/2014 8:50:36 PM
$I30                           4             NTFS Index All...    1/20/2014 8:50:36 PM
$LogFile                       65,536        Regular File         1/20/2014 8:50:36 PM
$MFT                           256           Regular File         1/20/2014 8:50:36 PM
$MFTMirr                       4             Regular File         1/20/2014 8:50:36 PM
$Secure                        1             Regular File         1/20/2014 8:50:36 PM
$UpCase                        128           Regular File         1/20/2014 8:50:36 PM
$Volume                        0             Regular File         1/20/2014 8:50:36 PM

Fig. 3. User content partition root directory after factory restoration.

Name                           Size          Type                 Date Modified
$Extend                        1             Directory            1/20/2014 8:50:36 PM
$AttrDef                       3             Regular File         1/20/2014 8:50:36 PM
$BadClus                       0             Regular File         1/20/2014 8:50:36 PM
$Bitmap                        11,680        Regular File         1/20/2014 8:50:36 PM
$Boot                          8             Regular File         1/20/2014 8:50:36 PM
$I30                           4             NTFS Index All...    1/20/2014 8:50:36 PM
$LogFile                       65,536        Regular File         1/20/2014 8:50:36 PM
$MFT                           256           Regular File         1/20/2014 8:50:36 PM
$MFTMirr                       4             Regular File         1/20/2014 8:50:36 PM
$Secure                        1             Regular File         1/20/2014 8:50:36 PM
$UpCase                        128           Regular File         1/20/2014 8:50:36 PM
$Volume                        0             Regular File         1/20/2014 8:50:36 PM
13096BD0-8237-47FA-80BE-...    59,652        Regular File         1/21/2014 3:18:54 PM
168859A8-2F07-4C63-9F3A-...    35,981,096    Regular File         1/21/2014 5:25:09 A...
242BF9CE-DA7C-4872-805E...     48,708        Regular File         1/21/2014 2:44:42 PM
508CC49E-41EC-4836-B927...     27,512        Regular File         1/22/2014 4:48:36 PM
B0655109-C128-4519-9E36-...    38,452        Regular File         1/21/2014 2:43:20 PM
B72D5AA7-6941-472A-8A5...      42,556        Regular File         1/22/2014 4:42:27 PM
D0134385-33C0-4382-BE31-...    22,036        Regular File         1/21/2014 2:46:40 PM
FD10657E-CB08-455B-A0D3...     25,992,304    Regular File         1/22/2014 4:09:29 PM

Fig. 4. User content partition root directory after scenarios.

Because the sizes of the installed games are freely
available from Microsoft, the two chosen games (Battlefield
4 and Dead Rising 3) could be assumed to be the files of
35,981,096 bytes and 25,992,304 bytes respectively. This
led to the hypothesis that the remaining six files were in
fact the applications or settings that were downloaded
during scenario testing. Information on the size of the
applications was not freely available as it was with the
video games; therefore, further conclusions could not be
reached without more information. After parsing the MFT
for this partition, we obtained the timestamps for these
smaller files. This allowed us to match files with corresponding
game/application installations/executions in our
scenario by timestamps if not by file size. Our mapping is
shown in Table 3.
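
The timestamp matching described above can be expressed as a nearest-event search with a tolerance. This is an added example, not the authors' procedure: the file times are the Date Modified values shown in Fig. 4, while the scenario log entries, the two-minute tolerance and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EST = timezone(timedelta(hours=-5))  # the five-hour offset stated in the paper

# Date Modified values from Fig. 4 (UTC), keyed by the truncated names shown there.
FILE_TIMES = {
    "B0655109-C128-4519-9E36-...": datetime(2014, 1, 21, 14, 43, 20, tzinfo=UTC),
    "242BF9CE-DA7C-4872-805E...": datetime(2014, 1, 21, 14, 44, 42, tzinfo=UTC),
    "D0134385-33C0-4382-BE31-...": datetime(2014, 1, 21, 14, 46, 40, tzinfo=UTC),
    "508CC49E-41EC-4836-B927...": datetime(2014, 1, 22, 16, 48, 36, tzinfo=UTC),
}

# Constructed examiner notes in local time (EST); not taken from the paper.
SCENARIO_LOG = [
    ("2014-01-21 09:43", "Xbox Video"),
    ("2014-01-21 09:44", "Skype"),
    ("2014-01-21 09:46", "Twitch"),
]


def load_events(log, tz=EST):
    """Convert local-time log entries to UTC so they compare with MFT times."""
    events = []
    for stamp, label in log:
        local = datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
        events.append((local.astimezone(UTC), label))
    return events


def correlate(files, events, tolerance=timedelta(minutes=2)):
    """Map each file to its nearest logged event, or None if none is in range.

    A match is (label, gap, margin): gap is the distance to the nearest event,
    margin is how much closer it is than the runner-up inside the tolerance
    (None when there is no runner-up). A small margin means a weak match.
    """
    result = {}
    for name, stamp in files.items():
        near = sorted((abs(stamp - when), label) for when, label in events
                      if abs(stamp - when) <= tolerance)
        if not near:
            result[name] = None  # no logged activity explains this timestamp
            continue
        gap, label = near[0]
        margin = near[1][0] - gap if len(near) > 1 else None
        result[name] = (label, gap, margin)
    return result


if __name__ == "__main__":
    for name, match in correlate(FILE_TIMES, load_events(SCENARIO_LOG)).items():
        print(name, "->", match if match else "no event within tolerance")
```

Leaving the log in local time would shift every event by five hours and none of the files would match, which is why the conversion to UTC happens before any comparison.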

Conversely, the timestamps of file modification for
Battlefield 4 and Dead Rising 3 did not coincide with the
dates they were installed. This led us to hypothesize that
the games write to the disk periodically when played (e.g.
while saving the player's progress), thereby changing the
file modification timestamp of their corresponding file.
This is supported by the observation that their file modification
times coincided with the time that each game was last
played. The creation timestamps were consistent with
installation times of each game, consistent with our identification
of each file by the known size of the game's
installation footprint.

These files had entropy scores consistent with encrypted
and/or compressed data (7.99 bits per byte). We believe
the files are likely heavily compressed to conserve space,
and possibly encrypted to minimize the risk of software
piracy.

Table 3
File name with its corresponding usage scenario.

File name                               Related game/application
168859A8-2F07-4C63-9F3A-B89D056B6239    Battlefield 4
B0655109-C128-4519-9E36-0D370809CD0E    Xbox Video
242BF9CE-DA7C-4872-805E-E873ADB32C07    Skype
D0134385-33C0-4382-BE31-58C4CF4F453E    Twitch
13096BD0-8237-47FA-80BE-29A3563CF0BF    YouTube
FD10657E-CB08-455B-A0D3-0088CC93EAED    Dead Rising 3
B72D5AA7-6941-472A-8A5C-8BACE4D0B6DF    Xbox Music
508CC49E-41EC-4836-B927-C941BEAF4D6E    FXNow

Name                        Size         Type                 Date Modified
$Extend                     1            Directory            1/20/2014 8:50:37 PM
$AttrDef                    3            Regular File         1/20/2014 8:50:37 PM
$BadClus                    0            Regular File         1/20/2014 8:50:37 PM
$Bitmap                     1,280        Regular File         1/20/2014 8:50:37 PM
$Boot                       8            Regular File         1/20/2014 8:50:37 PM
$I30                        4            NTFS Index All...    1/20/2014 8:50:37 PM
$LogFile                    65,536       Regular File         1/20/2014 8:50:37 PM
$MFT                        256          Regular File         1/20/2014 8:50:37 PM
$MFTMirr                    4            Regular File         1/20/2014 8:50:37 PM
$Secure                     1            Regular File         1/20/2014 8:50:37 PM
$UpCase                     128          Regular File         1/20/2014 8:50:37 PM
$Volume                     0            Regular File         1/20/2014 8:50:37 PM
cms.xvd                     8,487,908    Regular File         1/20/2014 8:55:44 PM

Fig. 5. System support partition root directory after factory restoration.


System support partition 


There were several files to note in this partition, namely 
the cms.xvd file, the esram.bin file, and eight files with an 
xvi extension. (Figs. 5 and 6) 

In Phase I, the last modification timestamp of cms.xvd
coincided with the system being shut down.
Similarly, in Phase II, the last modified timestamp aligned
with the time that the system was shut down. As shutdown
was the only event with which the timestamps for cms.xvd aligned,
the actual contents of the file could not be hypothesized.

Due to its size, name, and the fact that the esram.bin file
was not created until 1/22/2014 at 06:45:49, we hypothesize
that it corresponded to the 32 MB of embedded static
RAM (esRAM) storage found in the Xbox One. The entropy
score of esram.bin was 6.7 bits per byte, a comparable entropy
score to most JPEG graphics files reported by Shannon
[16].

It was observed that eight of the files on this partition
had the same file name as the downloaded applications and
games found in the user content partition (see Fig. 4), but
have a file extension of .xvi. Their file creation time corresponded
to the time that each application/game was
installed. We found no special headers for the .xvi file type,
nor were the contents able to be read. Entropy scores were
very low (e.g. D0134385-33C0-4382-BE31-58C4CF4F453E.xvi
had an entropy score of just 0.08 bits per
byte), so low that we did not know what to make of them.
Therefore, the function of these particular files was not
determined. These files will be included in the data set that
will be released (see Section Contribution).

Name                                        Size         Type                 Date Modified
$Extend                                     1            Directory            1/20/2014 8:50:37 PM
$AttrDef                                    3            Regular File         1/20/2014 8:50:37 PM
$BadClus                                    0            Regular File         1/20/2014 8:50:37 PM
$Bitmap                                     1,280        Regular File         1/20/2014 8:50:37 PM
$Boot                                       8            Regular File         1/20/2014 8:50:37 PM
$I30                                        4            NTFS Index All...    1/20/2014 8:50:37 PM
$LogFile                                    65,536       Regular File         1/20/2014 8:50:37 PM
$MFT                                        256          Regular File         1/20/2014 8:50:37 PM
$MFTMirr                                    4            Regular File         1/20/2014 8:50:37 PM
$Secure                                     1            Regular File         1/20/2014 8:50:37 PM
$UpCase                                     128          Regular File         1/20/2014 8:50:37 PM
$Volume                                     0            Regular File         1/20/2014 8:50:37 PM
13096BD0-8237-47FA-80BE-29A3563CF0BF.xvi    4            Regular File         1/22/2014 2:46:23 AM
168859A8-2F07-4C63-9F3A-B89D056B6239.xvi    4            Regular File         1/22/2014 2:45:30 PM
242BF9CE-DA7C-4872-805E-E873ADB32C07.xvi    4            Regular File         1/21/2014 3:40:45 PM
508CC49E-41EC-4836-B927-C941BEAF4D6E.xvi    4            Regular File         1/22/2014 4:52:47 PM
B0655109-C128-4519-9E36-0D370809CD0E.xvi    4            Regular File         1/22/2014 4:42:07 PM
B72D5AA7-6941-472A-8A5C-8BACE4D0B6DF.xvi    4            Regular File         1/22/2014 4:44:47 PM
cms.xvd                                     8,487,908    Regular File         1/22/2014 4:58:13 PM
D0134385-33C0-4382-BE31-58C4CF4F453E.xvi    4            Regular File         1/22/2014 4:49:32 PM
esram.bin                                   32,768       Regular File         1/22/2014 4:40:53 PM
FD10657E-CB08-455B-A0D3-0088CC93EAED.xvi    4            Regular File         1/22/2014 4:12:41 PM

Fig. 6. System support partition root directory after scenarios.

Name                        Size         Type                 Date Modified
$Extend                     1            Directory            8/30/2013 5:47:14 AM
A                           1            Directory            8/30/2013 5:47:18 AM
B                           1            Directory            12/11/2013 3:50:25 PM
$AttrDef                    3            Regular File         8/30/2013 5:47:14 AM
$BadClus                    0            Regular File         8/30/2013 5:47:14 AM
$Bitmap                     384          Regular File         8/30/2013 5:47:14 AM
$Boot                       8            Regular File         8/30/2013 5:47:14 AM
$I30                        4            NTFS Index All...    8/30/2013 5:47:18 AM
$LogFile                    64,976       Regular File         8/30/2013 5:47:14 AM
$MFT                        256          Regular File         8/30/2013 5:47:14 AM
$MFTMirr                    4            Regular File         8/30/2013 5:47:14 AM
$Secure                     1            Regular File         8/30/2013 5:47:14 AM
$UpCase                     128          Regular File         8/30/2013 5:47:14 AM
$Volume                     0            Regular File         8/30/2013 5:47:14 AM
updater.xvd                 45,284       Regular File         12/11/2013 3:47:46 PM

Fig. 7. System update partition both before and after use.


System update and system update 2 partition 


Both of these partitions showed alterations only to 
existing files between Phase I and Phase II, with no new 
files created. Figs. 7 and 8 display the partitions' root 
contents. 

This Xbox One was purchased on 11/30/2013 and was 
first set up by the user on 12/3/2013. Directories A and B 
were both created at the same date and time, 8/30/2013 
05:47:18. Directory A contained six files that had a 
modification timestamp on 12/3/2013 with times ranging from 
10:12:20 to 10:15:33 PM, a date and time that coincided 
with the initial setup of the system by the user. Directory B, 
its contents, and updater.xvd were last modified on 
12/11/2013 between 3:47:46 and 3:51:14 PM, a date and 
time range that corresponded to the latest system update 
received by the Xbox One. We therefore concluded that these 
files related to system configuration and updates and 
were unlikely to contain user data. 


XVD files 


Some of the partitions, mainly in directories A and B of 
the system update partition (Figs. 9 and 10), contained files 
with an extension of xvd. Other appearances of the xvd 
extension were seen with the files: cms.xvd, $sosrst.xvd, 
appswapfile.xvd, GameDVR.xvd, GDVRIndex.xvd, and 
updater.xvd. 


Name          Size    Type               Date Modified

$Extend          1    Directory          8/30/2013 5:47:15 AM
$AttrDef         3    Regular File       8/30/2013 5:47:15 AM
$BadClus         0    Regular File       8/30/2013 5:47:15 AM
$Bitmap        224    Regular File       8/30/2013 5:47:15 AM
$Boot            8    Regular File       8/30/2013 5:47:15 AM
$I30             4    NTFS Index All...  8/30/2013 5:47:15 AM
$LogFile    38,752    Regular File       8/30/2013 5:47:15 AM
$MFT           256    Regular File       8/30/2013 5:47:15 AM
$MFTMirr         4    Regular File       8/30/2013 5:47:15 AM
$Secure          1    Regular File       8/30/2013 5:47:15 AM
$UpCase        128    Regular File       8/30/2013 5:47:15 AM
$Volume          0    Regular File       8/30/2013 5:47:15 AM


Fig. 8. System update 2 partition both before and after use. 
Name                     Size    Type               Date Modified

$I30                        4    NTFS Index All...  8/30/2013 5:47:18 AM
deltas.xvd            349,356    Regular File       12/3/2013 10:14:00 PM
ExtraSettings.xvd      16,500    Regular File       5/25/2013 4:02:38 PM
SettingsTemplate.xvd   37,144    Regular File       12/3/2013 10:12:39 PM
sosinit.xvd            24,204    Regular File       12/3/2013 10:12:20 PM
sostmpl.xvd            63,516    Regular File       12/3/2013 10:12:28 PM
system.xvd            870,596    Regular File       12/3/2013 10:15:13 PM
systemaux.xvd         273,876    Regular File       12/3/2013 10:15:33 PM


Fig. 9. Directory A of system update partition. 


The string msft-xvd was observed in every xvd file at 
offset 0x200. The other content was non-human readable, 
although the entropy scores of various xvd files suggest 
that not every xvd file is actually the same file type. The 
format may simply be a “wrapper” around other binary 
data. Occasionally, we noted that the entropy scores 
changed between Phase I and Phase II, showing that 
encryption or compression takes place after the user 
connects to Xbox Live or during use in Phase II. The entropy 
scores for a collection of xvd files are shown for each phase 
in Table 4. 
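
The check described above can be reproduced on extracted files with a few lines of Python. This is an added example, not code from the original paper or its data set: it verifies the msft-xvd string at offset 0x200, computes Shannon entropy in bits per byte, and flags files whose score differs between two acquisitions. The file names a.xvd and b.xvd and their contents are constructed stand-ins.

```python
import math
import random
from collections import Counter

XVD_MAGIC = b"msft-xvd"   # string the paper observed in every xvd file
XVD_MAGIC_OFFSET = 0x200  # location reported in the paper


def has_xvd_magic(data: bytes) -> bool:
    """True if the msft-xvd string sits at offset 0x200."""
    end = XVD_MAGIC_OFFSET + len(XVD_MAGIC)
    return data[XVD_MAGIC_OFFSET:end] == XVD_MAGIC


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(data).values())


def compare_phases(phase1: dict, phase2: dict, places: int = 4) -> list:
    """Return (name, has_magic, h1, h2, changed) for files in both images."""
    rows = []
    for name in sorted(phase1.keys() & phase2.keys()):
        h1 = round(shannon_entropy(phase1[name]), places)
        h2 = round(shannon_entropy(phase2[name]), places)
        magic = has_xvd_magic(phase1[name]) and has_xvd_magic(phase2[name])
        rows.append((name, magic, h1, h2, h1 != h2))
    return rows


def _make_sample(body: bytes) -> bytes:
    """Constructed stand-in for an xvd file: 0x200 pad bytes, magic, body."""
    return bytes(XVD_MAGIC_OFFSET) + XVD_MAGIC + body


# Constructed sample data, NOT taken from the paper's data set.
_rng = random.Random(2014)
_text_like = b"setting=value;" * 4096
_random_like = bytes(_rng.getrandbits(8) for _ in range(len(_text_like)))

PHASE1 = {"a.xvd": _make_sample(_text_like), "b.xvd": _make_sample(_random_like)}
PHASE2 = {"a.xvd": _make_sample(_random_like), "b.xvd": _make_sample(_random_like)}

if __name__ == "__main__":
    for name, magic, h1, h2, changed in compare_phases(PHASE1, PHASE2):
        flag = "*" if changed else " "
        print(f"{name:8}{flag} magic={magic}  {h1:.4f} -> {h2:.4f}")
```

Scores near 8 bits per byte are consistent with encrypted or compressed content, while a file that stays well below that in both phases is a better candidate for manual inspection.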

There is much speculation in the Xbox modding 
community as to what the xvd file type is. Modders have been 
examining this file type since the release of the system and 
have advanced a variety of opinions as to its function. Some 
believe that these files are modified Windows Imaging 
Format (WIM) files; others believe that it is a brand-new, 
custom format developed by Microsoft. The majority 
of the community, though, believes the files are package files, a 
much more complex and secured version of the Xbox 360 
Secure Transacted File System (STFS) packages (HorizonMB, 
2013). The STFS was the file system used by the Xbox 360 for 
all packages created and downloaded by the system (Free60, 
2014). It is our opinion, based on entropy score disparity, 
that the Xbox One's xvd files actually belong to a variety of 
different types, all with the same file extension. 

We have released a data set of these files to the 
forensic community so that additional research 
may be conducted without the need for an Xbox One (see 
Section Contribution). 


Network forensics 


No passwords or user names were found when 
capturing the network traffic; however, we were able to 
discern when a user signed in from the sequence of 
captured files, as shown in Fig. 11. The file name highlighted 
in Fig. 11 did not appear in any other scenario tested, only 
when a user was signed in, which indicated that this 
certificate was used to verify user sign in. 

It seemed that each application tested employed its own 
measure of security. For instance, Skype seemed to be fully 
encrypted. You could not see any of the messages sent or 


Name                     Size    Type          Date Modified

deltas.xvd            165,756    Regular File  12/11/2013 3:49:03 PM
SettingsTemplate.xvd   37,144    Regular File  12/11/2013 3:48:05 PM
sosinit.xvd            24,204    Regular File  12/11/2013 3:48:15 PM
sostmpl.xvd            63,516    Regular File  12/11/2013 3:48:36 PM
system.xvd            870,596    Regular File  12/11/2013 3:50:25 PM
systemaux.xvd         273,876    Regular File  12/11/2013 3:51:14 PM


Fig. 10. Directory B of system update partition. 


Table 4 
Rounded entropy scores (in bits per byte) of xvd files. 

File name              Phase I Entropy Score   Phase II Entropy Score
$sosrst.xvd*           4.1602                  7.8963
GDVRIndex.xvd          1.5438                  1.5438
systemaux.xvd*         5.3353                  7.8229
SettingsTemplate.xvd   7.5681                  7.5681
deltas.xvd             7.6256                  7.6256
sostmpl.xvd            6.5402                  6.5402
system.xvd*            5.3031                  7.9995
updater.xvd            7.8123                  7.8123

* Entropy score changed between Phases I and II. 


received, or hear any of the VOIP conversations. However, 
we were able to see exactly when Skype was started up from 
the Transport Layer Security (TLS) certificate found; its 
timestamp correlated with the time that we had started 
Skype, but that was the extent of what could be seen. 

On the other hand, the Twitch TV, YouTube, Game DVR, 
and Internet Explorer applications actually allowed us to 
view what the user was doing. It was possible to see when 
the user was on the Twitch TV application as well as the 
stream that they were viewing. This information could be 
discerned from the files tab of NetworkMiner as shown in 
Fig. 12. With this information, it was clear that the user was 
watching the nightblue3 stream. 

The YouTube application only allowed us to view a 
portion of the actual video that was viewed, and the link 
found did not tie back to the exact URL of the viewed video. 
Therefore, determining the exact video watched may prove 
difficult. 

We were able to view the entire game clip that was 
watched on the Game DVR application. An image of this can 
be seen in Fig. 13. 

The Internet Explorer application allowed us to capture 
data as if the user was browsing the web on their computer. 
Therefore, we were able to see exactly what the user did on 
any site that did not have ample security to prevent us from 
viewing the traffic. 

When we investigated the network traffic of both 
games, Battlefield 4 and Dead Rising 3, we discovered that 
the network traffic was encrypted. We could not see the 
exact actions that took place, meaning we could not see the 
mode the user was playing in or who they were playing 
with; however, we were able to tell what game was being 


D. port  Protocol        Filename                            Extension  Size
TCP 50...  TlsCertificate  licensing.xboxlive.com[10].cer      cer        1569 B
TCP 50...  TlsCertificate  MSIT Machine Auth CA 2[10].cer      cer        1548 B
TCP 50...  TlsCertificate  Microsoft Internet Author[10].cer   cer        1285 B
TCP 50...  TlsCertificate  xboxlive.com.cer                    cer        1590 B
TCP 50...  TlsCertificate  MSIT Machine Auth CA 2.cer          cer        1548 B
TCP 50...  TlsCertificate  Microsoft Internet Author.cer       cer        1285 B
TCP 50...  TlsCertificate  accounts.xboxlive.com.cer           cer        1568 B
TCP 50...  TlsCertificate  MSIT Machine Auth CA 2.cer          cer        1548 B
TCP 50...  TlsCertificate  Microsoft Internet Author.cer       cer        1285 B
TCP 50...  TlsCertificate  accounts.xboxlive.com[1].cer        cer        1568 B
TCP 50...  TlsCertificate  MSIT Machine Auth CA 2[1].cer       cer        1548 B
TCP 50...  TlsCertificate  Microsoft Internet Author[1].cer    cer        1285 B
TCP 50...  TlsCertificate  userpresence.xboxlive.com[2].cer    cer        1637 B
TCP 50...  TlsCertificate  MSIT Machine Auth CA 2[2].cer       cer        1548 B
TCP 50...  TlsCertificate  Microsoft Internet Author[2].cer    cer        1285 B
TCP 50...  TlsCertificate  userpresence.xboxlive.com[3].cer    cer        1637 B


Fig. 11. Captured data when signing in. 
[Figure content: NetworkMiner Files tab, Details column. The rows are HLS playlist (.m3u8) and video segment (.ts) requests to usher.justin.tv and video3.iad02.hls.twitch.tv whose paths contain the channel name nightblue3.]


Fig. 12. Captured data from Twitch TV. 


played from the captured traffic. Battlefield 4 was 
distinguished by a TLS certificate shown in Fig. 14. The initiation 
of Dead Rising caused a lot of network traffic, and although 
the content of the files was illegible, they could be directly 
linked to Dead Rising by their file name (Fig. 15). 
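
The application-level indicators reported in this section (the Battlefield 4 certificate name, the deadrising3_ file-name prefix, and the Twitch HLS paths) can be applied to a capture listing programmatically. The following is an added example, not the authors' tooling: the `triage` function, the (protocol, value) row layout, the protocol label on the Twitch rows and the sample rows are assumptions constructed from the figures.

```python
import re

# Indicators the paper reports (Figs. 12, 14 and 15); nothing here decrypts traffic.
GAME_CERTS = {"bf4.gos.ea.com.cer": "Battlefield 4"}
GAME_FILE_PREFIXES = {"deadrising3_": "Dead Rising 3"}
TWITCH_PLAYLIST = re.compile(
    r"^usher\.justin\.tv/api/channel/hls/(?P<channel>\w+)\.m3u8")
TWITCH_SEGMENT = re.compile(
    r"\.hls\.twitch\.tv/hls\d+/(?P<channel>\w+?)_\d+_\d+/(?P<quality>\w+)/"
    r"index-(?P<seq>\d+)-\w+\.ts$")


def triage(rows):
    """Classify (protocol, value) rows from a NetworkMiner-style Files listing."""
    report = {"games": set(), "twitch": {}, "unclassified": []}
    for protocol, value in rows:
        if protocol == "TlsCertificate" and value in GAME_CERTS:
            report["games"].add(GAME_CERTS[value])
            continue
        prefix = next((p for p in GAME_FILE_PREFIXES if value.startswith(p)), None)
        if protocol.startswith("Http") and prefix:
            report["games"].add(GAME_FILE_PREFIXES[prefix])
            continue
        playlist = TWITCH_PLAYLIST.search(value)
        segment = TWITCH_SEGMENT.search(value)
        if playlist or segment:
            hit = playlist or segment
            entry = report["twitch"].setdefault(
                hit["channel"], {"qualities": set(), "segments": []})
            if segment:
                entry["qualities"].add(segment["quality"])
                entry["segments"].append(int(segment["seq"]))
            continue
        report["unclassified"].append((protocol, value))
    return report


# Constructed rows modelled on Figs. 12, 14 and 15; the .dat extension and
# the protocol label on the Twitch rows are assumptions.
_SEG = "video3.iad02.hls.twitch.tv/hls94/nightblue3_9310351552_87830761/high/"
SAMPLE_ROWS = [
    ("TlsCertificate", "bf4.gos.ea.com.cer"),
    ("TlsCertificate", "VeriSign Class 3 Secure S.cer"),
    ("HttpGetNormal", "deadrising3_1.0.0.5_[3].dat"),
    ("HttpGetNormal", "usher.justin.tv/api/channel/hls/nightblue3.m3u8"),
    ("HttpGetNormal", _SEG + "index-0000006701-1gPJ.ts"),
    ("HttpGetNormal", _SEG + "index-0000006702-vgEF.ts"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

Consecutive segment numbers for one channel also bound how long the stream was watched, which the timestamps in the capture can then confirm.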


Future work 


More research is needed with regard to the Xbox One, 
its file system, and the encryption methods used. 
Understanding the file types (and potentially, sub-types) found 
within the Xbox One, such as .xvd and .xvi, is necessary to 
further examine the console. Although many of these files 
seem, on the basis of their entropy scores, to be encrypted 
(or at least compressed with an unknown scheme), some 
files were not, and these should therefore be priorities for 
reverse engineering. 

It may also prove valuable to look at an Xbox One hard 
disk drive when it is first shipped. The hard drive employed 
in this experimental work had been used prior to selecting 
it. Although it was restored to factory settings, it may prove 
useful to see what, if anything, is dissimilar between a 
factory restored drive versus a newly shipped drive. 

A more thorough examination of the Xbox Live network is 
needed. There are many other applications and games that 
need to be tested. Additionally, there is a mobile phone 


Fig. 13. Captured video from Game DVR. 
50...  TlsCertificate  Microsoft Internet Author[2].cer  cer  1285 B  4/23/2014 12:47:11 PM
50...  TlsCertificate  bf4.gos.ea.com.cer                cer  1364 B  4/23/2014 12:47:11 PM
50...  TlsCertificate  VeriSign Class 3 Secure S.cer     cer  1520 B  4/23/2014 12:47:11 PM


Fig. 14. Captured data from Battlefield 4. 


application known as Smart Glass that allows the user to 
interact with the Xbox through their phone. It would be of 
interest to examine this relationship to see what data can be 
found in the transmissions between the phone and Xbox One. 

A database could be made containing all of the 
downloaded material available for the Xbox One, along with hash 
values and the file sizes of that material. This would allow 
for quick identification of different applications, games, or 
other downloaded material, thereby making investigations 
involving this device more efficient. 


Conclusions 


This research provides the initial foundation for 
understanding how an Xbox One can be examined in a forensically 
sound manner. Even without modifications, the Xbox One is 
a very powerful computing device and should not be seen as 
just a gaming console; it is marketed for its multimedia 
capabilities just as much as it is for its video games. As with 
the previous generations of video game consoles, crime will 
undoubtedly take place involving the Xbox One, both over 
Xbox Live and locally, thus making it essential that 
investigators understand how to analyze the system. 

The complexity of the Xbox One seems greater than that of its 
predecessors. It appears to make heavy use of encryption 
(at least after connection to Xbox Live), and its new file 
types made it extremely difficult to discern any 
information. We were not able to determine exactly when or how 
the user used applications; watching television did not 
seem to log any data on the system, and signing in to the 
user's profile could not be determined from the metadata 
alone. The data contained in the MFT, along with 
information ascertained from this research, can be of great 
importance to investigators. We were able to retrospectively link 
files to the games and applications that were installed on 
the Xbox One, we could see when the console was last 
shut off, we could see when the system was restored to 
factory settings, and we were even able to determine the first 
time the user ever used the system. The metadata found in 
the MFT can be used by investigators to develop timelines, 
establish patterns of use, and corroborate a story. 


[Figure content: NetworkMiner Files tab listing HttpGetNormal transfers timestamped 4/23/2014 12:55:43 PM to 12:55:44 PM, with file names beginning deadrising3_1.0.0.5_ and sizes of 4096 B, 16384 B or 32768 B.]


Fig. 15. Captured data from Dead Rising 3. 
We also noted that the network traffic that was captured 
varied based on what specific applications were being used. 
Each application had a different level of security associated 
with it. For example, we were not able to see the calls or 
messages made with Skype, but we were able to view the 
exact game clip that was watched during the use of the 
Game DVR application. The video games themselves were 
secure. We were able to discern which game was being 
played, but the actions that took place during play were not 
discovered. 